Share and NTFS Permission

• NTFS Permissions
• Share Permissions
• Share and NTFS Permission Similarities 共享权限和NTFS权限的相似性
• Modifying Share and NTFS Permissions修改权限
• Combining Share and NTFS Permissions组合共享权限和NTFS权限

 

NTFS Permissions

     NTFS permissions apply to any file or folder on a disk that has been formatted with NTFS.

NTFS权限应用于使用NTFS文件系统格式化的磁盘上的任何文件或文件夹.

Read	When a user is assigned Read permission, the user is allowed to view the contents, permissions, and attributes associated with a fi le or folder. 允许用户查看文件、文件夹内容、权限和属性。
Read & Execute	The Read & Execute permission is used to grant permission for a user to execute fi les. 执行文件的用户授予权限。 Any executable fi les (such as .exe, .bat, and .com) are files that can be executed or launched. If a user has only Read permission, and not Read & Execute, the fi les can’t be executed. 任何可执行的文件都可以执行或启动的文件。 如果用户只有read权限，没有read&Execute权限，你们用户无法执行文件。
List Folder Contents	The List Folder Contents permission allows a user to view the contents of a folder. 允许用户查看文件夹的内容. It will allow a user to see that fi les exist in a folder but will not apply Read permissions to those fi les. 允许用户查看文件夹中存在的文件，但是不会向这些文件应用read权限。
Write	If a user is assigned Write permission to a fi le or folder, the user can modify the fi le or folder. This includes adding new fi les or folders to a folder or making changes to existing fi les or folders. However, it does not include deleting fi les from a folder. 用户可以修改文件或文件夹，包括向文件夹中添加新文件或文件夹，或更改现有的文件或文件夹。 不能从文件夹中删除文件
Modify	Modify includes all of the permissions from Read, Read & Execute, and Change and adds the ability to delete fi les and folders. 包括read、read&excute和change中的所有权限，还拥有删除文件和文件夹的能力.
Full Control	Full Control is a combination of all the available permissions. It adds the ability to change permissions and take ownership of fi les or folders. 所有权限的组合，更改权限以及取得文件或文件夹所有权的能力。

 

Share Permissions

Share permissions apply to shares only when they are accessed over the network. There are only three share permissions:

共享权限应用于通过网络访问的共享：

Read	Users granted Read permission can read fi les and folders within the share. 读取共享中的文件和文件夹
Change	Users granted Change permission can read, execute, modify, and delete fi les and folders within the share. 可以读取、执行、修改和删除共享中的文件和文件夹.
Full Control	Users granted Full Control permission have all the permissions from Change and can also modify permissions on the share. 拥有来自change的全部权限，还可以修改共享上的权限

Share and NTFS Permission Similarities 共享权限和NTFS权限的相似性

Now that you have a basic understanding of the overall NTFS and share permissions, it’s easier

to explore the similarities, and there are many. These include:

◆ Both can be assigned either Allow or Deny.都可以分配Allow或者Deny

◆ Both are cumulative.都可以积累

◆ Deny takes precedence with both.Deny都取得优先

◆ Both support implicit deny.都支持隐式拒绝。

 

 

一、Assigning Allow or Deny

As you start working with permissions, you’ll notice that they have both Allow and Deny check boxes for each of the listed permissions. Here’s an overview of how they work:

 

◆ If the permission is set to Allow for a user or group, the user or group has this permission.

◆ If the permission is set to Deny for a user or group, the user or group does not have the permission.

◆ Permissions are cumulative权限是累积的. If a user has multiple Allow permissions assigned (such as Allow Read and Allow Change), the user has a combination of the assigned permissions各个权限的组合.

◆ If both Allow and Deny permissions are assigned for a user, Deny takes precedence.Deny优先.

 

If there aren’t any permissions assigned to a user, then the user does not have access to the object. This is referred to as an implicit deny.

如果没有和用户指派任何权限，用户无法访问这个对象，这就是隐式拒绝。

 

Both share permissions and NTFS permissions use the discretionary access control (DAC) model to control access.

共享权限和NTFS权限都使用资助访问控制DAC模型来控制访问。

 

Each object has a discretionary access control list (DACL, pronounced “dackel”). The DACL is a list of access control entries (ACEs).

每个对象都拥有一个自主访问控制列表DACL。DACL是一个访问控制项ACE的列表。

 

Each ACE identifi es a user or a group with their associated security identifi er (SID) and Allow or Deny permission. Any object can have multiple ACEs in the DACL; said another way, any object can have multiple permissions assigned.

每个ACE使用和用户或组关联的安全标识符SID以及Allow或Deny权限来标识用户或组。

在DACL中，任何对象都可以拥有多个ACE。也就是说任何对象都可以指派多个权限。

 

When a user accesses a fi le, folder, or share, the operating system compares the DACL with the user’s account and group memberships. If there’s a match, the user is granted the appropriate permission.

 

二、累积权限Cumulative Permissions

三、Deny Takes Precedence

四、Implicit Deny隐式拒绝

 

Modifying Share and NTFS Permissions修改权限

 

 

 

Combining Share and NTFS Permissions组合共享权限和NTFS权限

当用户通过共享访问文件或文件夹时，识别用户拥有的权限有时候会存在挑战.

People sometimes fi nd it challenging to identify the permissions a user will have when they access a fi le or folder via a share. We like to keep it simple with these three steps:

1. Determine the cumulative NTFS permissions.确定累积NTFS权限

2. Determine the cumulative share permissions.确定累积共享权限

3. Determine which of the two provides the least access (commonly called the most restrictive permission).确定那个权限提供最少的访问（通常称为最受限制权限）

Imagine that Sally is a member of the G_Sales and G_ITAdmins groups. The assigned permissions for the SalesData folder (shared as the SalesData share) are shown in Table 13.2.

In step 1, you need to determine the cumulative NTFS permissions.

Sally has the Read, Read & Execute, and List Folder Contents permissions as a member of the G_Sales group.

Additionally, she has Full Control permission as a member of the G_IT SalesAdmins group.

Since Full Control includes all the other permissions, her cumulative NTFS permissions are Full Control.

 

In step 2, you need to determine the cumulative share permissions.

Sally has the Read permission as a member of the G_Sales group.

Additionally, she has the Change permission as a member of the G_IT SalesAdmins group.

Since Change includes both Read and Write, her cumulative share permissions are Change.

 

The last step involves a simple question. Which permission provides the least access or is the most restrictive: Full Control or Change?

The answer is Change.

 

Change is the permission that Sally will have if accessing the share over the network.

 

How about a trick question? What is Sally’s permission when she accesses the SalesData folder locally?

 

The answer is Full Control.

 

Remember that share permissions apply only when a user accesses the share over a network.

 If the folder is accessed locally, only NTFS permissions apply.

 

 

 

Share permissions are applied when a user accesses a fi le or folder across the network, but they are not taken into consideration when a user accesses those resources locally, as they would be when sitting directly at the computer or when using resources on a terminal server. NTFS permissions, in contrast, are applied no matter how a user accesses those same resources, whether they are connecting remotely or logging in at the console. So, when accessing files locally, only NTFS permissions are applied. When accessing those same fi les remotely, the sum of both share and NTFS permissions is applied by calculating the most restrictive permissions of the two types. For more information about NTFS, see Chapter 13, “Files, Folders, and Basic Shares.”